Saturday, March 16, 2013

Stuxnet, the first known cyber-weapon, found to have been introduced into Iran years earlier than originally thought

Symantec recently released a fascinating report on an early version of Stuxnet that it dubs version 0.5. It too appears to have been specifically developed to sabotage Iranian nuclear facilities by targeting the centrifuges that perform uranium enrichment.

• Stuxnet 0.5 is the oldest known Stuxnet version to be analyzed, in the wild as early as November 2007 and in development as early as November 2005.
• Stuxnet 0.5 was less aggressive than Stuxnet versions 1.x and only spread through infected [Siemens Programmable Logic Controller (PLC)] Step 7 projects [which control centrifuges].
• Stuxnet 0.5 contains an alternative attack strategy, closing valves within the uranium enrichment facility at Natanz, Iran, which would have caused serious damage to the centrifuges and uranium enrichment system as a whole.

The success of Stuxnet 0.5 remains unknown. However, the chart in figure 4 references uranium enrichment production at Natanz to key milestones of Stuxnet development. Interesting events are dips in feed or production amounts and lower levels of production given the same or greater feed amounts (shown as gaps between the two lines).

...When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally. It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.

...This version of Stuxnet extensively fingerprints the target system to determine whether it is in the right location before it will activate the payload. To make this determination, Stuxnet checks if the infected system is running Step 7 software and parses the symbol table of the target system. The symbol table holds identification labels for each physical device in the target system. For example, each valve, pump, and sensor will have a unique identifier. The symbol labels loosely follow the ANSI/ISA-5.1 Instrumentation Symbols and Identification standard, which is used in piping and instrumentation diagrams (P&ID)...

...During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration. Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code...

...Similar to version 1.x of Stuxnet, the 417 PLC device attack code consists of a state machine with eight possible states. The states conduct an attack by closing valves within six of the possible 18 cascades...

State 0 – Wait: Perform system identification and wait for the enrichment process to reach steady-state before attacking (approximately 30 days).

State 2 – Attack centrifuge valves: Begin replaying fake input signals. Close valves on most centrifuges with the exception of the initial feed stage valves.

State 3 – Secondary pressure reading: Open valves in the final stage of a single cascade to obtain a low pressure reading.

State 4 – Wait for pressure change: Wait for desired pressure change or time limit. This can take up to two hours.

State 5 – Attack auxiliary valves: Open all auxiliary valves except valves believed to be near the first feed stage (stage 10). Waits for three minutes in this state.

State 6 – Wait for attack completion: Waits for six minutes whilst preventing any state changes.

State 7 – Finish: Reset and return to state zero.

By closing almost all valves except the initial feed stage valves, UF6 will continue to flow into the system. This act alone may cause damage to the centrifuges themselves. However, the attack expects the pressure to reach five times the normal operating pressure. At this pressure, significant damage to the uranium enrichment system could occur and the UF6 gas could even revert to a solid.

Whether the attack succeeded in this manner or not remains unclear. Even if the attack did succeed, the attackers decided to switch to a different strategy, of attacking the speed of the centrifuges themselves instead, in Stuxnet 1.x versions.

One can only hope that Stuxnet badly wounded the Iranian nuclear effort.
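The masking step in the Symantec excerpt above (snapshot the normal running state, then replay those values to the operator during the attack) suggests one simple defensive check: genuine analog readings carry sensor noise, so a window of telemetry that repeats bit-for-bit from an earlier window is a replay indicator. The Python below is an added illustration, not code from this post, from Symantec's report or from Stuxnet; the nominal pressure, noise, window length and the position of the replayed segment are all constructed.

```python
import random

NOMINAL_MBAR = 60.0   # constructed nominal feed pressure, not a Natanz figure


def simulated_feed(n_normal=40, rng_seed=7):
    """Constructed noisy 'normal' readings, as an HMI historian might log them."""
    rng = random.Random(rng_seed)
    return [round(NOMINAL_MBAR + rng.uniform(-0.5, 0.5), 3) for _ in range(n_normal)]


def with_replayed_window(samples, src_start, length):
    """Model of the masking described in the excerpt: the operator-facing stream
    continues with an exact copy of an earlier (recorded) window of readings."""
    return samples + samples[src_start:src_start + length]


def find_replayed_windows(samples, window):
    """Return (earlier_start, later_start) pairs where `window` consecutive
    readings repeat exactly at a later, non-overlapping position.

    Real noisy analog values essentially never repeat over a long window, so
    any hit is worth an operator's attention. Flat, coarsely quantized signals
    can repeat legitimately; pick `window` longer than such runs."""
    first_seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        j = first_seen.setdefault(key, i)   # remember first position of this window
        if i - j >= window:                 # same window seen earlier, no overlap
            hits.append((j, i))
    return hits


def replay_suspected(samples, window=8):
    """True if any window of readings is an exact copy of an earlier one."""
    return bool(find_replayed_windows(samples, window))


if __name__ == "__main__":
    normal = simulated_feed()
    attacked = with_replayed_window(normal, src_start=10, length=12)
    print("normal stream flagged:  ", replay_suspected(normal))
    print("replayed stream flagged:", replay_suspected(attacked))
    print("first replay match (recorded_at, replayed_at):",
          find_replayed_windows(attacked, 8)[0])
```

On real historian data, set the window relative to the sensor's resolution and sampling rate, and cross-check a flagged stream against an independent measurement path rather than the HMI alone.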